diff --git a/test-server/configuration.nix b/test-server/configuration.nix index 5d353de..6d134c6 100644 --- a/test-server/configuration.nix +++ b/test-server/configuration.nix @@ -2,9 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: - -{ +{ config, pkgs, lib, inputs, ... }:{ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix @@ -103,6 +101,8 @@ tcpdump dig vscodium + inputs.agenix.packages."x86_64-linux".default + btop # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. # wget ]; diff --git a/test-server/flake.lock b/test-server/flake.lock index 580d230..5cd9b54 100644 --- a/test-server/flake.lock +++ b/test-server/flake.lock 
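Review bot: The new module header `{ config, pkgs, lib, inputs, ... }:{` fuses the argument set and the opening brace of the module body onto one line, unlike the rest of the file, and it reads at a glance like an attrset argument; keep `{ config, pkgs, lib, inputs, ... }:` and `{` on separate lines as before. `lib` is added to the pattern but nothing in the visible hunks uses it, so it can be dropped unless a later part of the file needs it. The module body continues past the hunk.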
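Review bot: `inputs.agenix.packages."x86_64-linux".default` hard-codes the platform inside configuration.nix, so the package list silently diverges from the `system` declared in flake.nix if the host is ever built for another platform; use the module's own view of the platform instead, `inputs.agenix.packages.${pkgs.system}.default`. It also relies on `inputs` arriving through `specialArgs`, which this commit wires up in flake.nix, but the module will fail with a missing-argument error if it is ever evaluated outside that flake. The package list (presumably `environment.systemPackages`) starts and ends outside the hunk.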
@@ -1,6 +1,85 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1696775529, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1697957990, "narHash": "sha256-LlyEQ4z1immaiZV+MQMUXM3KpNoRY/xZVm8mmN5j3yg=", @@ -18,7 +97,8 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "agenix": "agenix", + "nixpkgs": "nixpkgs_2" } } }, diff --git a/test-server/flake.nix b/test-server/flake.nix index f61e24e..b870475 100644 
--- a/test-server/flake.nix
+++ b/test-server/flake.nix
@@ -1,9 +1,11 @@
 {
 description = "A very basic flake";
 inputs = {
+ # secrets management
+ agenix.url = "github:ryantm/agenix";
 nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
 };
- outputs = { self, nixpkgs, ... }: {
+ outputs = { self, nixpkgs, agenix }@inputs: {
 nixosConfigurations.server = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
@@ -12,8 +14,11 @@
 ./modules/adguard.nix
 ./modules/git.nix
 ./modules/vmware-guest.nix
+ ./modules/github-runner.nix
 #./modules/home-assistant.nix idk dont like this
+ agenix.nixosModules.default
 ];
+ specialArgs = { inherit inputs; };
 };
 };
 }
diff --git a/test-server/modules/github-runner.nix b/test-server/modules/github-runner.nix
new file mode 100644
index 0000000..d79996f
--- /dev/null
+++ b/test-server/modules/github-runner.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+ nixpkgs.config.permittedInsecurePackages = [
+ "nodejs-16.20.2"
+ ];
+
+ users.groups.github-actions-runner = {};
+ users.users.github-actions-runner = {
+ isSystemUser = true;
+ passwordFile = config.age.secrets.github-runner-pw.path;
+ group = "github-actions-runner";
+ extraGroups = [ "docker" ];
+ };
+ age.secrets.github-runner-token = {
+ file = ../secrets/github-runner-token.age;
+ owner = "github-actions-runner";
+ group = "github-actions-runner";
+ };
+ age.secrets.github-runner-pw = {
+ file = ../secrets/github-runner-pw.age;
+ owner = "github-actions-runner";
+ group = "github-actions-runner";
+ };
+ systemd.tmpfiles.rules = [
+ "d /github-actions-runner 0770 github-actions-runner github-actions-runner -"
+ ];
+ services.github-runner = {
+ enable = true;
+ name = "runner-oberprofis";
+ tokenFile = config.age.secrets.github-runner-token.path;
+ url = "https://github.com/oberprofis";
+ user = "github-actions-runner";
+ workDir = "/github-actions-runner";
+ };
+}
\ No newline at end of file
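Review bot: `outputs = { self, nixpkgs, agenix }@inputs:` drops the `...` the old pattern had, so adding any further input to the flake will make the outputs function fail with an unexpected-argument error until this pattern is edited as well; keep it as `outputs = { self, nixpkgs, agenix, ... }@inputs: {`. Separately, the lock file in this same commit shows agenix pulling its own `nixpkgs` (nixos-unstable) next to the root's pinned nixos-23.05, which means two nixpkgs evaluations and a different toolchain for the agenix CLI than for the rest of the system; add `agenix.inputs.nixpkgs.follows = "nixpkgs";` under `inputs` so it tracks the same revision.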
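Review bot: The runner account is given `extraGroups = [ "docker" ];` while the runner registers at the organization level (`url = "https://github.com/oberprofis"`), so every workflow job in the org executes with access to the Docker socket, which on this host is equivalent to root; that is far more privilege than a service running repository-defined code should hold. Prefer rootless Docker or podman for the runner and, if this nixpkgs pin supports it, the module's `ephemeral` option so each job starts from a fresh registration. `nixpkgs.config.permittedInsecurePackages = [ "nodejs-16.20.2" ];` is a system-wide setting rather than something scoped to this module, so any other package on the host can now resolve to the EOL Node 16 as well; a one-line comment naming the dependency that forces it (`# github-runner still needs nodejs 16; remove once the runner package moves on`) keeps the exception from outliving its reason. `passwordFile` on a system user with no interactive role looks unnecessary — `isSystemUser = true` defaults the account to a nologin shell — and note that `users.users.<name>.passwordFile` expects an already-hashed password, not the plaintext secret.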
diff --git a/test-server/secrets/create_secrets.md b/test-server/secrets/create_secrets.md new file mode 100644 index 0000000..1c83ada --- /dev/null +++ b/test-server/secrets/create_secrets.md @@ -0,0 +1,31 @@ +agenix -e secret1.age + + +example secrets.nix file +``` +let + user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH"; + users = [ user1 ]; + + system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE"; + systems = [ system1 ]; +in +{ + "secret1.age".publicKeys = [ user1 system1 ]; +} +``` + +use secret in config +``` +age.secrets.nextcloud = { + file = ./secrets/secret1.age; + owner = "nextcloud"; + group = "nextcloud"; +}; +services.nextcloud = { + enable = true; + package = pkgs.nextcloud25; + hostName = "localhost"; + config.adminpassFile = config.age.secrets.nextcloud.path; +}; +``` \ No newline at end of file diff --git a/test-server/secrets/github-runner-pw.age b/test-server/secrets/github-runner-pw.age new file mode 100644 index 0000000..a7757b6 --- /dev/null +++ b/test-server/secrets/github-runner-pw.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 yfCCMw AgTWFlwf7Cuz40Er5yJGWS3eBr8Cmkk5FXkYAKLmJQg +BUS6ACBSelgygiTP9icrikwPtIuSIZjYSV1l7TJ+xL0 +-> E-grease 4{$,yJ A^ !FpFte< %5b +Txk3o2XFNHQ8zHxOuiQWfLx0O4Vk2NqEP3ZKqTHS8PUWIih6WzRh+6vp5Ya34rCd +n1g +--- lPdVcHYdhBlw5gNx43cbfqIGXT1ldcBeBzf7VcNlID4 +Fx[cEO:7&m;QGڵ2cf?.7 G<]7\+f~ <_2*Ois'(_avXR-;% \ No newline at end of file diff --git a/test-server/secrets/github-runner-token.age b/test-server/secrets/github-runner-token.age new file mode 100644 index 0000000..b9ee89e --- /dev/null +++ b/test-server/secrets/github-runner-token.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 yfCCMw MJo2Lt4IQxqIRygmGVYSRUiFOJ3YgAbOZ6/u8F1aCF4 +cufGP1fUOHzfSN+jbz0WiYCUBk8hC1dLMCtiDS2JaIM +-> }K-grease :E4V +x5K6POWZGfcwKwGc5U1nS38qHIzy3ZNW+d1/DpELVKRO+4D0wZ3vf9Tedw +--- RmPhiYVfU4G09dKxXSq+7XAgJGU0s3UGXBZ3lMGxwEA +(ʀbEcr4&-6~A]g\t{o9 s \ No newline at end of file diff --git a/test-server/secrets/secrets.nix b/test-server/secrets/secrets.nix new file mode 100644 index 0000000..91c41cd --- /dev/null +++ b/test-server/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + nix-test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVqEb1U1c9UX3AF8otNyYKpIUMjc7XSjZY3IkIPGOqi root@server"; + systems = [ nix-test-vm ]; +in +{ + "github-runner-token.age".publicKeys = [ nix-test-vm ]; + "github-runner-pw.age".publicKeys = [ nix-test-vm ]; +} \ No newline at end of file
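Review bot: Both secrets list only the host key `nix-test-vm` in `publicKeys`, so the `.age` files can be decrypted by that machine alone; with no administrator key present, `agenix -e` (the workflow the commit's own create_secrets.md describes) cannot be run from a workstation to edit or rekey them, and if the host's SSH host key is ever regenerated the secrets become unrecoverable. Add the operator's key alongside the host key, as the `user1` example in create_secrets.md does, e.g. `"github-runner-token.age".publicKeys = [ admin nix-test-vm ];` and `"github-runner-pw.age".publicKeys = [ admin nix-test-vm ];`, then rekey with `agenix -r`.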